Tutoring site has a super security problem, companies install not-so-smart products and update your browsers
Welcome to Cyber Security Today. It’s Monday August 20th.
The business world is a tough place to be in. Sometimes competition is cut-throat. But that doesn’t mean security provisions have to be cut-rate. That’s what appears to have happened in Britain after a web service called SuperProf, where people can list tutoring services they offer, took over a local competitor called The Tutor Page. As security writer Graham Cluley reports, Superprof then changed the passwords of Tutor Page teachers, letting them know in an email. But instead of spending money to make sure the new passwords were scrambled, the company merely added the word “super” to their first names. Like “superhoward.” True, the new password can be changed, but for a short time people were at risk with easily guessable passwords. The username is their email address. Angry subscribers are venting their rage on the Internet, which gives the company a black eye. That’s something SuperProf needs to be tutored about.
Making everything connected to the Internet is apparently the future of the world. However, it can be a dangerous world if devices aren’t secure. Here are two examples: An amusement park with Internet-connected lockers for the public to store items in nearly got stung by a cyber attack. The connection allowed management to know which lockers were being used or whether the locks were damaged. But according to a recent report from security vendor Darktrace, someone hijacked the link and could have used it to access the corporate network. Similarly, a parking lot’s Internet-connected payment kiosk was found to be connecting to suspicious web sites. It could have been used to get into the company’s network. There was no security on that kiosk device at all, said Darktrace’s David Masson in an interview. Obviously companies are still not examining all the risks of Internet-connected devices. One solution, Masson said, is for technology buyers to refuse to purchase devices that can’t be made secure and can’t be patched. Another is for IT departments to have better visibility into what’s going on on their networks. And a third is to improve the training of IT staff.
In June I reminded listeners that the popular mobile video game Fortnite for Apple devices hadn’t yet been released for Android, so they shouldn’t download pretenders. Well, earlier this month creator Epic Games released its Android version, but it’s available only from the Epic Games site and not Google Play. However, criminals are pushing Web sites that claim to have the game. In fact what you get is something loaded with malware. It’s a reminder to be careful of where you download anything from the Internet.
Finally, there’s another reason to make sure you’re running the latest version of your browser. A security researcher at Imperva has discovered a vulnerability that could allow an attacker to find out personal information on you from web sites like Facebook. On some sites users can set preferences, such as their age, location or interest, and use that as a filter to restrict receiving messages. People making posts can target their messages to those who are in a group. However, for complex reasons this data can be accessed and possibly used to identify people. Browsers like Chrome have plugged this hole. So make sure your browser is up to date.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening. I’m Howard Solomon.